KT-4 tokens
Overview
The KT-4 Keychain token generates a new, pseudo-random passcode each time the token is activated. The token is activated by pressing the button located to the right and below the LCD display.
A KT-4 PIN consists of a string of 3 to 8 characters that is used to guard against unauthorized use. If PIN protection is enabled, the user must provide a PIN with the one-time passcode to authenticate.
Token control
Depending upon the options enabled in the token, the user may be permitted to enter a PIN, change his PIN, or resynchronize the token. These actions require the use of the button to accept options presented to the user through the LCD display. The token provides prompts and allows the user to input the digits 0 through 9, the letter E, and the symbol ┤.
Where input is required, the token cycles through the input options. When the correct digit, letter, or symbol is displayed, the user pushes the button to accept the input. For example, to input the PIN 123, the user should press the button 3 times, once after each of the numbers 1, 2, and 3 is displayed, respectively, followed by E.
Pressing the button when the letter E is displayed indicates to the token that the user will provide no additional input. Pressing the button when the ┤ symbol is displayed erases the input immediately to the left of the symbol. This is used to correct input error.
Using a KT-4 token
Every time you need to log on using an OTP, firmly push and quickly release the button to the right of the LCD display. A token code is displayed for approximately 60 seconds. To log on, enter your security PIN followed by the token code into the appropriate Password field.
Remember, every time you need to log on, you must press the button on your KT-4 token to generate a unique token code. Your password for logon is your security PIN followed by the token code that is displayed on your KT-4 token.
If your token shuts off while you are copying the token code, simply generate a new token code by firmly pressing the button and quickly releasing it. Enter your security PIN and the displayed token code into the appropriate field and log on as normal.
Your responsibilities
Using a KT-4 token not only provides security, it also simplifies your life by reducing or eliminating the need to remember or periodically change passwords. Your token generates a new token code for you every time you need to log on.
To use your token properly, ensure that you follow the guidelines in this section.
Protect your token
Your token is a primary security device designed to protect you and the resources you access. Keep it with your car keys or purse or other valuable items that you use on a regular basis to minimize the potential to forget it. If you do forget your token, contact your network administrator or help desk.
Protect your security PIN
Protect your security PIN just as you would the PIN for your bank or credit card. Never share it with anyone, including people you trust. Your network administrator and help desk never ask for your security PIN and you should never reveal it to them. Never write down your security PIN.
Change your security PIN
If you wish to change your PIN, or are concerned that it has been compromised, go to the Self-Service website and choose the Change PIN option. You are required to authenticate by entering your User Name and OTP (Security PIN and token code). After authenticating, you are prompted to enter and verify a new PIN.
Reset your PIN
If you forget your PIN, you need to have it reset. To reset your PIN, contact your network administrator or help desk. Upon verifying your identity, they are able to reset your PIN to a temporary value. During your next logon, you are required to change this PIN to a new value that only you know.
Store your token
You should keep your token separate from your computer. Do not leave it on your desk or with your computer bag. Treat it as you would your wallet, purse, or credit cards, keeping it with you at all times.
Report a lost token
Report a lost or stolen token immediately by contacting your network administrator or help desk. They take the necessary actions to ensure that the lost token does not present a security risk, and they provide you with a temporary alternative for logging on to the network until you receive a replacement token.
Failed logon
The most common cause of failed logon is entering an incorrect OTP. Never attempt to reuse a token code. Ensure that you enter the token code exactly as displayed on the token, including any uppercase and lowercase letters and punctuation that it may contain. Your account is automatically locked for a few minutes if too many consecutive logon attempts fail. You must wait until your account unlocks before you can attempt to log on again. Contact your network administrator or help desk to resolve logon problems.
Token life
Though there are several factors that affect the battery life of a token, it typically functions for 5-8 years before battery replacement is required. Roughly 2 to 3 months before the battery is exhausted, a low battery warning is displayed for 3-4 seconds before each token code is displayed. You should advise your network administrator or help desk as soon as possible when this warning appears. They provide instructions on replacing the battery.
Token disposal
Think green. Never discard your token. It contains a battery and other materials that should be recycled or disposed of in an eco-friendly manner. Contact your network administrator or help desk for disposal instructions.
Self-enrollment
Self-enrollment is a simple four-step process for activating your token and creating your PIN. When you complete this process, you are able to use your token when you log on.
You receive an email that you can use to initiate the self-enrollment process. If you have not received your self-enrollment email, contact your administrator or helpdesk to arrange for a new email to be sent to you.
To self-enroll a token:
- Use the link in the self-enrollment email to open the self-enrollment site.
- On the self-enrollment site, you are prompted to enter the serial number of your token. This is the 9-digit number displayed on the back of the token.
- Enter the serial number and verify it for accuracy. Click Next to continue.
- The next web page displays a temporary PIN and prompts you to enter an OTP. Your OTP is the combination of the displayed PIN and the token code generated by your KT-4.
- On your KT-4 token, firmly push and then quickly release the button to the right of the LCD display. A token code displays for approximately 60 seconds.
- On the web page, in the OTP field, enter the displayed PIN followed by the token code displayed on your KT-4 token. Click Next to continue.
- The next web page prompts you to create and verify a new security PIN that only you know and that you need to use every time you log on. Instructions on the page indicate the minimum number of characters and other PIN requirements.
- Enter and confirm a value for the new PIN and then click Next. A red asterisk (*) is displayed next to the fields if the PINs do not match or do not meet security requirements.
- The next web page confirms that you have completed enrollment. Click Close.
You can now use your KT-4 token to log on to the protected networks and resources.
Operating modes & options
The KT-4 supports a wide range of operating modes that can be modified using the SafeNet Authentication Service Manager and a USB token initializer, according to organizational and security policy requirements. The PIN length, complexity, and maximum number of incorrect consecutive PIN attempts must be configured during token initialization. If the PIN attempts threshold is exceeded, the token does not generate a passcode and will, depending on the configuration, either require re-initialization or a PIN reset before it can be used again.
A brief list of the more common operating modes follows.
QUICKLog
Password is displayed immediately by token (or after Display Name, if this option is enabled on the Display tab).
Challenge-response
Requires the user to key a numeric challenge into the token before a response is generated.
QUICKLog is the recommended mode for all SafeNet KT, RB and MP series token types because it greatly simplifies the user logon experience and strengthens security by eliminating the requirement to have the user key a challenge into a token to get an OTP. In addition, QUICKLog mode is supported by all systems that require a logon password.
Complexity
- Hexadecimal: Token generates passcodes comprised of digits and letters from 0–9 and A-F.
- Decimal: Token generates passcodes comprised of digits from 0-9.
- Base32: Token generates passcodes comprised of digits and letters from 0-9 and A-Z.
- Base64: Token generates passcodes comprised of digits and letters from 0-9, A-Z and a-z, as well as other printable characters available via Shift + 0-9.
Length
- Determines the passcode length. Options are 5, 6, 7, or 8 characters. The default value is 8.
Display mask
- Telephone Mode: Replaces the fourth character of a passcode with a dash (-). This is generally used in combination with Response length: 8 characters and Display type: Decimal to resemble the North American telephone number format. Because the dash takes the place of a passcode character, an 8-character passcode in this mode carries seven significant digits.
- None: Passcode is displayed as set by Response length and Display type.
Passwords per power cycle
- Single: Only one passcode is provided after the token is activated. The token must be powered off and reactivated to generate another passcode.
- Multiple: The token generates passcodes as required until it is powered off.
The Single password (passcode) per power cycle option is recommended. For applications requiring dual authentication or where multiple consecutive logons are required, select Multiple mode. Note that the Automatic shut-off option powers the token off automatically after the specified time interval elapses.
Manual shut-off
- Yes: User can force token off at any time.
- No: User cannot force token off. The token automatically turns off (based on Automatic shut-off configuration). This setting is recommended when using the KT-4 token.
Auto shut-off
Determines the length of time a passcode is displayed on the token, after which the token display is cleared and the token turned off. Options are 30, 60, and 90 seconds. Also used to prevent the token from being reactivated before expiration of the shut-off period.
PIN Policy group
PIN styles are separated into two general groups: Stored on Server or Token Activated by PIN. The KT-4 also supports a No PIN option, although this is not recommended.
Stored on Server requires the user to prepend the PIN to the passcode displayed on the token. The combination of the PIN and passcode form the password that is used to authenticate the user (the passcode cannot be used to authenticate unless the PIN is prepended). The PIN is not input into the token (i.e., it is not required to activate the token and generate a passcode). When operating in this mode, the PIN can consist of alphanumeric characters.
- No PIN: Means that the user is not required to use a PIN. The token-generated password is sufficient for authentication.
- Fixed PIN: The PIN created for the token at the time of initialization is permanent and cannot be modified by the user or operator. Fixed PIN can only be changed by re-initializing the token after selecting a new PIN value through this tab. This PIN must be entered into the token before a passcode is displayed.
- User selected PIN: The user may change the PIN at any time. The initial PIN set during initialization must be changed by the user on first use of the token. This PIN must be entered into the token before a passcode is displayed. The PIN value selected by the user must be within the limits set under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options.
- Server-side Fixed: This PIN must be prepended to the passcode. An Operator can change the PIN. This mode emulates SecurID PIN mode.
- Server-side User Select: Periodic PIN change is forced by the server according to the PIN Change Period option. The user determines the new PIN value within the limits set under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options. This PIN must be prepended to the passcode. This mode emulates the SecurID PIN mode.
- Server-side Server Select: Periodic PIN change is forced by the Server according to the PIN Change Period option. The server determines the new PIN value within the limits set under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options. This PIN must be prepended to the passcode. This mode emulates the SecurID PIN mode. Initial PIN modifications for a Stored on Server PIN only become active when Reset Server-side PIN is selected.
Token Activated by PIN requires the user to key the PIN into the token before a passcode is generated. In this mode, only the passcode displayed by the token is sent to the authentication server; the PIN is not transmitted across the network. When operating in this mode the PIN can only consist of numeric characters.
Initial PIN
The initial PIN value required for the token. The value is permanent if Fixed PIN is selected as the PIN Style. This value must be changed on first use of the token for User-changeable PIN. Use the Randomize button to change the initial value to a random number within the limits set under the Random PIN Length, Min PIN Length, and Characters allowed options.
Random PIN length
The minimum PIN length generated when clicking the Randomize button. The valid range is 3–8 characters.
Minimum PIN length
The minimum PIN length required to authenticate. The valid range is 1-8 characters.
Allow trivial PINs
- No: Prevents the use of sequences or consecutive digits/characters longer than two (2). For example, 124 or ABD are permitted; 123 or ABC are not permitted.
- Yes: No sequence checking. For example, 123 is permitted.
Max PIN attempts
- Number of consecutive incorrect PIN attempts permitted. The valid range is 1-7, or unlimited.
- The Unlimited option is available in cases where the PIN is entered into the token.
If this value is exceeded for Stored on Server PINs, authentication will not be permitted until the operator has reset the PIN value. If this value is exceeded for Token Activated by PIN options, the token will be locked and will not generate passcodes until it is physically reinitialized.
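The PIN policy options above (Min PIN Length, Characters allowed, Allow Trivial PINs, Random PIN Length) expressed as a checker. This is an added example, not SafeNet code: the parameter names, the default of 3 to 8 characters (taken from the Overview), and treating a repeated run such as 777 as trivial alongside a sequence such as 123 are assumptions; the page's own examples cover only sequences.

```python
"""PIN policy check modelled on the KT-4 initialisation options described above
(Min PIN Length, Characters allowed, Allow Trivial PINs, Random PIN Length).
Added example, not SafeNet code: mapping those option names onto the parameters
below, and treating repeated characters ('777') as trivial in the same way as
runs ('123'), are assumptions beyond the page's own examples."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 3          # Min PIN Length (page: valid range 1-8; Overview says 3-8)
    max_length: int = 8          # a KT-4 PIN is at most 8 characters
    numeric_only: bool = True    # Token Activated by PIN allows digits only
    allow_trivial: bool = False  # Allow Trivial PINs = No rejects runs longer than 2


def longest_run(pin: str) -> int:
    """Length of the longest run of adjacent characters that step by +1, -1 or 0.
    '124' -> 2, '123' -> 3, 'ABD' -> 2, 'ABC' -> 3, '4321' -> 4, '7777' -> 4."""
    best = run = 1 if pin else 0
    direction = None
    for prev, cur in zip(pin, pin[1:]):
        step = ord(cur) - ord(prev)
        if step not in (-1, 0, 1):
            run, direction = 1, None       # run broken
        elif step == direction:
            run += 1                       # same direction as before: run continues
        else:
            run, direction = 2, step       # a new run of two starts here
        best = max(best, run)
    return best


def check_pin(pin: str, policy: PinPolicy) -> list[str]:
    """Return every policy violation; an empty list means the PIN is acceptable."""
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(f"length {len(pin)} outside {policy.min_length}-{policy.max_length}")
    if policy.numeric_only:
        if not (pin.isascii() and pin.isdigit()):
            problems.append("token-activated PINs must be digits 0-9 only")
    elif not (pin.isascii() and pin.isalnum()):
        problems.append("server-stored PINs may contain ASCII letters and digits only")
    if not policy.allow_trivial and longest_run(pin) > 2:
        problems.append("contains a sequence or repeated run longer than two characters")
    return problems


def random_pin(policy: PinPolicy, length: int) -> str:
    """Mirror of the Randomize button: draw from a CSPRNG until the PIN passes the policy."""
    alphabet = string.digits if policy.numeric_only else string.digits + string.ascii_uppercase
    while True:
        pin = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_pin(pin, policy):
            return pin


if __name__ == "__main__":
    token_policy = PinPolicy()                       # Token Activated by PIN
    server_policy = PinPolicy(numeric_only=False)    # Stored on Server
    for candidate in ("124", "1234", "1230", "7777", "ABD4", "ABC4", "a1b2"):
        print(candidate, check_pin(candidate, token_policy), check_pin(candidate, server_policy))
    print("random:", random_pin(token_policy, 6))
```

The run detector is direction-aware, so 4321 is rejected like 1234 while 1232 is accepted (longest run is 3 only if the direction holds). Use `numeric_only=False` for the Stored on Server styles, where the page allows alphanumeric PINs.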
Using the KT-4 with PIN stored on server
In this mode (assuming QUICKLog mode is being used), the token requires no input data to generate a new, one-time passcode, but the user must prepend his PIN to the passcode displayed by the token in order to generate an acceptable password.
Generate a passcode
Press the button to activate the token. A one-time passcode is automatically generated. Enter the PIN (e.g., ABCD) and passcode (e.g., 12345678) at the password prompt (e.g., ABCD12345678).
Change PIN
If enabled, this feature permits the PIN to be changed according to the established security policy (applies to PIN Style Stored on Server, User-changeable PIN and Stored on Server, Server-changeable PIN).
The SafeNet Authentication Service enforces a PIN change at regular intervals. Depending on the options selected, the user is prompted to enter a new PIN or is provided with a new PIN generated by the SafeNet Authentication Service. In both cases, the PIN meets the minimum PIN policy requirements (complexity, length, non-trivial, etc.) as configured on the Server. A SafeNet Authentication Service Operator may also force a PIN change for individual users, as required.
When a PIN change is required, the user is prompted through the process. Once complete, the user must re-authenticate to gain access to protected resources.
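How a server checks a Stored on Server logon password (security PIN followed by the token code), as an added example and not SafeNet Authentication Service code. The page does not state the KT-4 passcode algorithm, so the event-based HOTP of RFC 4226 stands in for it; the look-ahead window stands in for the resynchronization described later on this page; the user record, its field names and the lockout bookkeeping are assumptions. It also shows why a token code must never be reused: the server consumes the token event on acceptance.

```python
"""Server-side check of a Stored on Server logon password (PIN prepended to the
token passcode), as described above.  Added example, not SafeNet Authentication
Service code.  The page does not give the KT-4 passcode algorithm, so RFC 4226
HOTP stands in for it (assumption); the look-ahead window stands in for
resynchronisation; the lockout follows the page's rule that a server-stored
PIN stays locked until an operator resets it."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class UserRecord:
    pin: str                    # Stored on Server PIN; kept in clear here for the example only
    secret: bytes               # token seed shared at initialisation (constructed demo value)
    counter: int = 0            # next token event the server expects
    pin_failures: int = 0
    locked: bool = False
    max_pin_attempts: int = 3   # Max PIN attempts (page: 1-7 or unlimited)
    look_ahead: int = 10        # how far a token may drift before resynchronisation is needed


def authenticate(rec: UserRecord, password: str) -> tuple[bool, str]:
    """Return (accepted, reason).  Only the boolean goes back to the client; the
    reason is for the server log, so a caller cannot learn whether the PIN or the
    passcode was the part that failed."""
    if rec.locked:
        return False, "locked: operator must reset the PIN"
    # The PIN length is known per user, so split there rather than inferring the
    # boundary from the submitted string.
    pin, passcode = password[:len(rec.pin)], password[len(rec.pin):]
    if not hmac.compare_digest(pin.encode(), rec.pin.encode()):
        rec.pin_failures += 1
        if rec.pin_failures > rec.max_pin_attempts:
            rec.locked = True
            return False, "locked: Max PIN attempts exceeded"
        return False, "bad PIN"
    # A token pressed but not used advances its event counter; search forward.
    for drift in range(rec.look_ahead):
        expected = hotp(rec.secret, rec.counter + drift)
        if hmac.compare_digest(passcode.encode(), expected.encode()):
            rec.counter += drift + 1      # consume this and every skipped event: no replay
            rec.pin_failures = 0
            return True, "accepted"
    return False, "bad passcode (token may need resynchronisation)"


if __name__ == "__main__":
    rec = UserRecord(pin="ABCD", secret=b"12345678901234567890")   # constructed, not a real seed
    first = "ABCD" + hotp(rec.secret, 0)
    print(authenticate(rec, first))       # (True, 'accepted')
    print(authenticate(rec, first))       # a reused token code is rejected
    print(authenticate(rec, "ABCD" + hotp(rec.secret, 4)))  # three unused presses, still in the window
```

A token that has been pressed more than `look_ahead` times without a successful logon falls outside the window and needs the resynchronization procedure described below; the server then re-anchors its counter rather than widening the window, which would weaken replay protection.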
Use the KT-4 with token activated by PIN
In this mode, the user must key a PIN into the token before a passcode is generated. The displayed passcode is then used during logon. The KT-4 supports numeric PINs only in this mode. Note that the PIN is not prepended to the passcode and is never sent across the network.
Generate a passcode
Press button to enable token. The token displays the prompt: PIN? #, where # corresponds to:
- The digits 0 through 9 that are used for the PIN. Press the button when the correct digit of the PIN is displayed.
- E, which is used to indicate that all digits of the PIN have been entered. This applies only where the PIN length is 7 or less. Press the button when E is displayed and all digits of the PIN have been entered.
- ┤, which is used to erase an incorrectly entered digit. Press the button to erase the digit to the left of the ┤ symbol.
For example, if the PIN is 123:
Token Displays | Action |
---|---|
PIN? 1 | Press Button |
*2 | Press Button |
**3 | Press Button |
***E | Press Button |
The token displays the one-time passcode.
User-changeable PIN
If configured, the KT-4 permits the user to change the PIN required to activate the token. The user can change the PIN when the Chg PIN prompt is displayed. When the user keys in the initial PIN (sometimes referred to as the deployment PIN), they are prompted with Chg PIN to immediately change the PIN to a new value, within the parameters of the security policy established during initialization. Thereafter, the user can change their PIN as often as desired:
- Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
- The token cycles through a series of prompts: Init, Lcd, Chg PIN, and rESYNC. The prompts and sequence vary depending on the options enabled for the token. Press the button while the Chg PIN prompt is displayed.
- Press the button as each digit of the current PIN is displayed. To accept the entered PIN, press the button when E is displayed.
- At the NuPIN? prompt, use the button to select the new PIN, one digit at a time as the correct digits are displayed. To accept the entered PIN, press the button when E is displayed.
- At the AgAin? prompt, use the button to re-input the new PIN by repeating step 4.
- The token displays a PASS message to indicate that the new PIN has been accepted. For example, if the old PIN is 123 and the new PIN is 7835:
Token Displays | Action |
---|---|
PIN? 1 | Press Button |
*2 | Press Button |
**3 | Press Button |
***E | Press Button |
NuPIN? 7 | Press Button |
78 | Press Button |
783 | Press Button |
7835 | Press Button |
7835E | Press Button |
AgAin? 7 | Press Button |
78 | Press Button |
783 | Press Button |
7835 | Press Button |
7835E | Press Button |
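The single-button entry, Max PIN attempts lockout and Chg PIN flow described above, modelled as an added example (not SafeNet firmware). The wheel symbols, the erase and end behaviour, the 8-digit entry that needs no E, and the lock-until-reinitialized rule follow the text; the class and method names, the FAIL and LOCKED indications, and the PASSCODE placeholder (the page does not give the passcode algorithm) are assumptions.

```python
"""Model of KT-4 single-button entry for Token Activated by PIN, as described
above: the display cycles through 0-9, E and ┤; a press accepts the symbol
shown, ┤ erases the previous digit, E ends the entry, and an 8-digit PIN ends
without E.  Added example, not SafeNet firmware.  The 'locked until physically
reinitialised' rule follows the page; FAIL/LOCKED/PASSCODE indications and the
deployment-PIN flag are assumptions."""
import hmac

MAX_PIN_DIGITS = 8
ERASE = "┤"
END = "E"


def decode_presses(shown) -> str:
    """Map the symbol shown at each button press to the PIN that was entered."""
    digits = []
    for sym in shown:
        if sym == END:
            return "".join(digits)
        if sym == ERASE:
            if digits:
                digits.pop()              # erase the digit to the left of ┤
        elif len(sym) == 1 and sym.isdigit():
            digits.append(sym)
            if len(digits) == MAX_PIN_DIGITS:
                return "".join(digits)    # E applies only to PINs of 7 digits or fewer
        else:
            raise ValueError(f"not on the input wheel: {sym!r}")
    raise ValueError("entry not terminated with E")


class KT4Token:
    """Token-side state: PIN check, Max PIN attempts lockout and the Chg PIN flow."""

    def __init__(self, deployment_pin: str, max_attempts: int = 3):
        self.pin = deployment_pin
        self.max_attempts = max_attempts   # Max PIN attempts, fixed at initialisation
        self.failures = 0
        self.locked = False
        self.must_change = True            # deployment PIN must be changed on first use

    def _check(self, shown) -> bool:
        if self.locked:
            raise RuntimeError("token locked: reinitialise with the USB token initializer")
        try:
            entered = decode_presses(shown)
        except ValueError:
            entered = ""
        if hmac.compare_digest(entered.encode(), self.pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures > self.max_attempts:   # threshold exceeded: no passcodes until reinit
            self.locked = True
        return False

    def activate(self, shown) -> str:
        """Press the button and key the PIN; returns what the display shows next."""
        if not self._check(shown):
            return "LOCKED" if self.locked else "PIN?"
        return "Chg PIN" if self.must_change else "PASSCODE"   # real token shows the one-time passcode

    def change_pin(self, current, new, again) -> str:
        """Chg PIN flow: current PIN, NuPIN?, AgAin?; returns PASS or FAIL."""
        if not self._check(current):
            return "LOCKED" if self.locked else "FAIL"
        new_pin, again_pin = decode_presses(new), decode_presses(again)
        if new_pin != again_pin or not 3 <= len(new_pin) <= MAX_PIN_DIGITS:
            return "FAIL"
        self.pin, self.must_change = new_pin, False
        return "PASS"


if __name__ == "__main__":
    tok = KT4Token("123")
    print(tok.activate(list("123E")))                              # Chg PIN (first use)
    print(tok.change_pin(list("123E"), list("7835E"), list("7835E")))  # PASS
    print(tok.activate(list("124┤3E")))                            # correction with ┤: PASSCODE
```

Because the PIN never leaves the token in this mode, the lockout has to live in the token itself, which is why the page says an exceeded threshold requires physical reinitialization rather than an operator reset.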
Token resynchronization
Token resynchronization requires the user to enter a “challenge” into the token. The challenge must be provided by the Help Desk or via a Web-based resynchronization page.
After the token has been resynchronized, a passcode is displayed.
In the unlikely event that the token requires resynchronization with the authentication server:
- Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
- The token cycles through a series of prompts: Init, Lcd, Chg PIN, and rESYNC. The prompts and sequence vary depending on the options enabled for the token. Press the button while the rESYNC prompt is displayed.
- The digits 0 through 9 are displayed sequentially to the right of the rESYNC prompt. For every digit of the resynchronization challenge, press the button to accept the displayed digit.
- After the last digit of the “challenge” is entered, double-press the button.
For example, if the resynchronization challenge is 16278371:
Token Displays | Action |
---|---|
rESYNC 1 | Press Button |
16 | Press Button |
162 | Press Button |
1627 | Press Button |
16278 | Press Button |
162783 | Press Button |
1627837 | Press Button |
16278371 | Press Button |
16278371 | Press Button |
LCD display test
The KT-4 provides a test routine that checks all individual segments and icons of the LCD for proper operation.
To enable the test:
- Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
- The token cycles through a series of prompts: Init, Lcd, Chg PIN, and rESYNC. The prompts and sequence vary depending on the options enabled for the token. Press the button while the Lcd prompt is displayed.
- The token cycles through a series of displays that provide a visual indication of any malfunctioning segments or icons. On completion of the test, the token shuts off automatically after the configured Automatic shut-off time.
Token initialization
The KT-4 can be reprogrammed as often as required to enable new options, encryption modes, and keys. SafeNet Authentication Service Manager and a USB token initializer are required.
To initialize a token:
- To prepare a KT token for initialization, start with the KT-4 token off, press and hold the KT-4 token button until the display shows Init (approximately 3-4 seconds).
- Release and quickly press the button again. The display shows the prompt rdY 4 Ir. The KT-4 token remains in the rdY 4 Ir state for approximately 1 minute. The token cannot be initialized while in any other state.
- Insert the token into the initializer with the LCD display facing into the initializer.
- Follow the instructions in SafeNet Authentication Service Manager. The token displays the TOKEN OK message on successful initialization and shuts off automatically 10-15 seconds later.